[e5474751] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 | ]>
|
---|
| 7 |
|
---|
| 8 | <sect1 id="ch-system-openssl" role="wrap">
|
---|
| 9 | <?dbhtml filename="openssl.html"?>
|
---|
| 10 |
|
---|
| 11 | <sect1info condition="script">
|
---|
| 12 | <productname>openssl</productname>
|
---|
| 13 | <productnumber>&openssl-version;</productnumber>
|
---|
| 14 | <address>&openssl-url;</address>
|
---|
| 15 | </sect1info>
|
---|
| 16 |
|
---|
| 17 | <title>OpenSSL-&openssl-version;</title>
|
---|
| 18 |
|
---|
| 19 | <indexterm zone="ch-system-openssl">
|
---|
| 20 | <primary sortas="a-OpenSSL">OpenSSL</primary>
|
---|
| 21 | </indexterm>
|
---|
| 22 |
|
---|
| 23 | <sect2 role="package">
|
---|
| 24 | <title/>
|
---|
| 25 |
|
---|
| 26 | <para>The OpenSSL package contains management tools and libraries relating
|
---|
| 27 | to cryptography. These are useful for providing cryptographic functions
|
---|
[6dfcfecc] | 28 | to other packages, such as OpenSSH, email applications, and web browsers
|
---|
[e5474751] | 29 | (for accessing HTTPS sites). </para>
|
---|
| 30 |
|
---|
| 31 | <segmentedlist>
|
---|
| 32 | <segtitle>&buildtime;</segtitle>
|
---|
| 33 | <segtitle>&diskspace;</segtitle>
|
---|
| 34 |
|
---|
| 35 | <seglistitem>
|
---|
[6dfcfecc] | 36 | <seg>&openssl-fin-sbu;</seg>
|
---|
| 37 | <seg>&openssl-fin-du;</seg>
|
---|
[e5474751] | 38 | </seglistitem>
|
---|
| 39 | </segmentedlist>
|
---|
| 40 |
|
---|
| 41 | </sect2>
|
---|
| 42 |
|
---|
| 43 | <sect2 role="installation">
|
---|
| 44 | <title>Installation of OpenSSL</title>
|
---|
[f1b9d9d] | 45 | <!--
|
---|
[e5e442c] | 46 | <para>First fix a problem with some advanced architectures with avx512
|
---|
[0d80e532] | 47 | capability:</para>
|
---|
| 48 |
|
---|
| 49 | <screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \
|
---|
| 50 | -i crypto/bn/rsaz_exp_x2.c</userinput></screen>
|
---|
[f1b9d9d] | 51 | -->
|
---|
[e5474751] | 52 | <para>Prepare OpenSSL for compilation:</para>
|
---|
| 53 |
|
---|
| 54 | <screen><userinput remap="configure">./config --prefix=/usr \
|
---|
| 55 | --openssldir=/etc/ssl \
|
---|
| 56 | --libdir=lib \
|
---|
| 57 | shared \
|
---|
| 58 | zlib-dynamic</userinput></screen>
|
---|
| 59 |
|
---|
| 60 | <para>Compile the package:</para>
|
---|
| 61 |
|
---|
| 62 | <screen><userinput remap="make">make</userinput></screen>
|
---|
| 63 |
|
---|
| 64 | <para>To test the results, issue:</para>
|
---|
| 65 |
|
---|
| 66 | <screen><userinput remap="test">make test</userinput></screen>
|
---|
[d7f58cc] | 67 |
|
---|
[3dc8226] | 68 | <para>One test, 30-test_afalg.t, is known to fail on some kernel
|
---|
| 69 | configurations (depending on inconsistent values of
|
---|
| 70 | CONFIG_CRYPTO_USER_API* settings.) If it fails, it can safely be
|
---|
| 71 | ignored.</para>
|
---|
[d7f58cc] | 72 |
|
---|
[e5474751] | 73 | <para>Install the package:</para>
|
---|
| 74 |
|
---|
| 75 | <screen><userinput remap="install">sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
|
---|
| 76 | make MANSUFFIX=ssl install</userinput></screen>
|
---|
| 77 |
|
---|
[38de42d] | 78 | <para>Add the version to the documentation directory name, to be
|
---|
| 79 | consistent with other packages:</para>
|
---|
[e5474751] | 80 |
|
---|
[38de42d] | 81 | <screen><userinput remap="install">mv -v /usr/share/doc/openssl /usr/share/doc/openssl-&openssl-version;</userinput></screen>
|
---|
| 82 |
|
---|
| 83 | <para>If desired, install some additional documentation:</para>
|
---|
| 84 |
|
---|
| 85 | <screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>
|
---|
[e5474751] | 86 |
|
---|
[6df63e4] | 87 | <note>
|
---|
| 88 | <para>
|
---|
| 89 | You should update OpenSSL when a new version which fixes vulnerabilities
|
---|
[0d7dbaf] | 90 | is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme
|
---|
| 91 | follows the MAJOR.MINOR.PATCH format. API/ABI compatibility
|
---|
[5042efcc] | 92 | is guaranteed for the same MAJOR version number. Because LFS
|
---|
[0d7dbaf] | 93 | installs only the shared libraries, there is no need to recompile
|
---|
| 94 | packages which link to
|
---|
| 95 | <filename class="libraryfile">libcrypto.so</filename> or
|
---|
[6df63e4] | 96 | <filename class="libraryfile">libssl.so</filename>
|
---|
[5042efcc] | 97 | <emphasis>when upgrading to a version with the same MAJOR version
|
---|
| 98 | number</emphasis>.
|
---|
[6df63e4] | 99 | </para>
|
---|
| 100 |
|
---|
[ad09ba4] | 101 | <!-- https://bugzilla.mindrot.org/show_bug.cgi?id=3548 -->
|
---|
[bbaf00d] | 102 | <para>
|
---|
| 103 | If <application>OpenSSH</application> is installed, it will be an
|
---|
| 104 | exception of the general rule above. It contains an
|
---|
| 105 | over-restrictive OpenSSL version check, so both SSH client and SSH
|
---|
[ad09ba4] | 106 | server will refuse to start if OpenSSL
|
---|
[bbaf00d] | 107 | is updated with MAJOR version number unchanged but MINOR version
|
---|
| 108 | number changed. You need to rebuild
|
---|
| 109 | <application>OpenSSH</application> after such an upgrade.
|
---|
| 110 | <emphasis role='bold'>If <application>OpenSSH</application> is being
|
---|
| 111 | used to access the system, you must rebuild and reinstall it
|
---|
| 112 | after upgrading OpenSSL to a new MINOR version number before logout
|
---|
| 113 | or you won't be able to login via SSH anymore.</emphasis>
|
---|
| 114 | </para>
|
---|
| 115 |
|
---|
[6df63e4] | 116 | <para>
|
---|
| 117 | However, any running programs linked to those libraries need to be stopped
|
---|
[59fef4c] | 118 | and restarted. Read the related entries in
|
---|
| 119 | <xref linkend='pkgmgmt-upgrade-issues'/> for details.
|
---|
[6df63e4] | 120 | </para>
|
---|
| 121 |
|
---|
| 122 | </note>
|
---|
| 123 |
|
---|
[e5474751] | 124 | </sect2>
|
---|
| 125 |
|
---|
[6dfcfecc] | 126 | <!-- - - - - - - - - - -->
|
---|
| 127 | <!-- Multilib - 32bit -->
|
---|
| 128 | <!-- - - - - - - - - - -->
|
---|
[fd48baa] | 129 |
|
---|
| 130 | <sect2 arch="ml_32,ml_all" role="installation">
|
---|
[6dfcfecc] | 131 | <title>Installation of OpenSSL - 32bit</title>
|
---|
[b3f1ebb3] | 132 |
|
---|
| 133 | <para>Clean previous build:</para>
|
---|
| 134 |
|
---|
| 135 | <screen><userinput remap="pre">make distclean</userinput></screen>
|
---|
| 136 |
|
---|
| 137 | <para>Prepare OpenSSL for compilation:</para>
|
---|
| 138 |
|
---|
[9d1c903] | 139 | <screen><userinput remap="configure">CFLAGS="-m32 -march=i686 -Wall -O3" CXXFLAGS="$CFLAGS" \
|
---|
| 140 | ./config --prefix=/usr \
|
---|
| 141 | --openssldir=/etc/ssl \
|
---|
| 142 | --libdir=lib32 \
|
---|
| 143 | shared \
|
---|
| 144 | zlib-dynamic \
|
---|
| 145 | linux-generic32</userinput></screen>
|
---|
[b3f1ebb3] | 146 |
|
---|
| 147 | <para>Compile the package:</para>
|
---|
| 148 |
|
---|
| 149 | <screen><userinput remap="make">make</userinput></screen>
|
---|
[6dfcfecc] | 150 |
|
---|
[b3f1ebb3] | 151 | <para>Install the package:</para>
|
---|
| 152 |
|
---|
| 153 | <screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
|
---|
[0ebda11] | 154 | cp -Rv DESTDIR/usr/lib32/* /usr/lib32
|
---|
[b3f1ebb3] | 155 | rm -rf DESTDIR</userinput></screen>
|
---|
| 156 |
|
---|
[6dfcfecc] | 157 | </sect2><!-- m32 -->
|
---|
[b3f1ebb3] | 158 |
|
---|
[6dfcfecc] | 159 | <!-- - - - - - - - - - -->
|
---|
| 160 | <!-- Multilib - x32bit -->
|
---|
| 161 | <!-- - - - - - - - - - -->
|
---|
[fd48baa] | 162 |
|
---|
| 163 | <sect2 arch="ml_x32,ml_all" role="installation">
|
---|
[6dfcfecc] | 164 | <title>Installation of OpenSSL - x32bit</title>
|
---|
[b3f1ebb3] | 165 |
|
---|
| 166 | <para>Clean previous build:</para>
|
---|
| 167 |
|
---|
| 168 | <screen><userinput remap="pre">make distclean</userinput></screen>
|
---|
| 169 |
|
---|
| 170 | <para>Prepare OpenSSL for compilation:</para>
|
---|
| 171 |
|
---|
[9d1c903] | 172 | <screen><userinput remap="configure">CFLAGS="-mx32 -march=x86-64 -Wall -O3" CXXFLAGS="$CFLAGS" \
|
---|
| 173 | ./config --prefix=/usr \
|
---|
| 174 | --openssldir=/etc/ssl \
|
---|
| 175 | --libdir=libx32 \
|
---|
| 176 | shared \
|
---|
| 177 | zlib-dynamic \
|
---|
| 178 | linux-x32</userinput></screen>
|
---|
[b3f1ebb3] | 179 |
|
---|
| 180 | <para>Compile the package:</para>
|
---|
| 181 |
|
---|
| 182 | <screen><userinput remap="make">make</userinput></screen>
|
---|
[6dfcfecc] | 183 |
|
---|
[b3f1ebb3] | 184 | <para>Install the package:</para>
|
---|
| 185 |
|
---|
| 186 | <screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
|
---|
[0ebda11] | 187 | cp -Rv DESTDIR/usr/libx32/* /usr/libx32
|
---|
[b3f1ebb3] | 188 | rm -rf DESTDIR</userinput></screen>
|
---|
| 189 |
|
---|
[6dfcfecc] | 190 | </sect2><!-- mx32 -->
|
---|
[b3f1ebb3] | 191 |
|
---|
[e5474751] | 192 | <sect2 id="contents-openssl" role="content">
|
---|
| 193 | <title>Contents of OpenSSL</title>
|
---|
| 194 |
|
---|
| 195 | <segmentedlist>
|
---|
| 196 | <segtitle>Installed programs</segtitle>
|
---|
| 197 | <segtitle>Installed libraries</segtitle>
|
---|
| 198 | <segtitle>Installed directories</segtitle>
|
---|
| 199 |
|
---|
| 200 | <seglistitem>
|
---|
| 201 | <seg>
|
---|
| 202 | c_rehash and openssl
|
---|
| 203 | </seg>
|
---|
| 204 | <seg>
|
---|
[032dc4e8] | 205 | libcrypto.so and libssl.so
|
---|
[e5474751] | 206 | </seg>
|
---|
| 207 | <seg>
|
---|
| 208 | /etc/ssl,
|
---|
| 209 | /usr/include/openssl,
|
---|
| 210 | /usr/lib/engines and
|
---|
| 211 | /usr/share/doc/openssl-&openssl-version;
|
---|
| 212 | </seg>
|
---|
| 213 | </seglistitem>
|
---|
| 214 | </segmentedlist>
|
---|
| 215 |
|
---|
| 216 | <variablelist>
|
---|
| 217 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 218 | <?dbfo list-presentation="list"?>
|
---|
| 219 | <?dbhtml list-presentation="table"?>
|
---|
| 220 |
|
---|
| 221 | <varlistentry id="c_rehash">
|
---|
| 222 | <term><command>c_rehash</command></term>
|
---|
| 223 | <listitem>
|
---|
| 224 | <para>
|
---|
[0b0fa07] | 225 | is a <application>Perl</application> script that
|
---|
| 226 | scans all files in a directory and adds symbolic links to their
|
---|
| 227 | hash values. Use of <command>c_rehash</command> is considered
|
---|
| 228 | obsolete and should be replaced by
|
---|
| 229 | <command>openssl rehash</command> command
|
---|
[e5474751] | 230 | </para>
|
---|
| 231 | <indexterm zone="ch-system-openssl c_rehash">
|
---|
| 232 | <primary sortas="b-c_rehash">c_rehash</primary>
|
---|
| 233 | </indexterm>
|
---|
| 234 | </listitem>
|
---|
| 235 | </varlistentry>
|
---|
| 236 |
|
---|
| 237 | <varlistentry id="openssl-prog">
|
---|
| 238 | <term><command>openssl</command></term>
|
---|
| 239 | <listitem>
|
---|
| 240 | <para>
|
---|
| 241 | is a command-line tool for using the various cryptography functions
|
---|
| 242 | of <application>OpenSSL</application>'s crypto library from the
|
---|
| 243 | shell. It can be used for various functions which are documented in
|
---|
[4c8c128] | 244 | <command>man 1 openssl</command>
|
---|
[e5474751] | 245 | </para>
|
---|
| 246 | <indexterm zone="ch-system-openssl openssl-prog">
|
---|
| 247 | <primary sortas="b-openssl">openssl</primary>
|
---|
| 248 | </indexterm>
|
---|
| 249 | </listitem>
|
---|
| 250 | </varlistentry>
|
---|
| 251 |
|
---|
| 252 | <varlistentry id="libcrypto">
|
---|
| 253 | <term><filename class="libraryfile">libcrypto.so</filename></term>
|
---|
| 254 | <listitem>
|
---|
| 255 | <para>
|
---|
| 256 | implements a wide range of cryptographic algorithms used in various
|
---|
| 257 | Internet standards. The services provided by this library are used
|
---|
| 258 | by the <application>OpenSSL</application> implementations of SSL,
|
---|
| 259 | TLS and S/MIME, and they have also been used to implement
|
---|
| 260 | <application>OpenSSH</application>,
|
---|
| 261 | <application>OpenPGP</application>, and other cryptographic
|
---|
[4c8c128] | 262 | standards
|
---|
[e5474751] | 263 | </para>
|
---|
| 264 | <indexterm zone="ch-system-openssl libcrypto">
|
---|
| 265 | <primary sortas="c-libcrypto">libcrypto.so</primary>
|
---|
| 266 | </indexterm>
|
---|
| 267 | </listitem>
|
---|
| 268 | </varlistentry>
|
---|
| 269 |
|
---|
| 270 | <varlistentry id="libssl">
|
---|
| 271 | <term><filename class="libraryfile">libssl.so</filename></term>
|
---|
| 272 | <listitem>
|
---|
| 273 | <para>
|
---|
| 274 | implements the Transport Layer Security (TLS v1) protocol.
|
---|
| 275 | It provides a rich API, documentation
|
---|
[ce536f9] | 276 | on which can be found by running <command>man 7 ssl</command>
|
---|
[e5474751] | 277 | </para>
|
---|
| 278 | <indexterm zone="ch-system-openssl libssl">
|
---|
| 279 | <primary sortas="c-libssl">libssl.so</primary>
|
---|
| 280 | </indexterm>
|
---|
| 281 | </listitem>
|
---|
| 282 | </varlistentry>
|
---|
| 283 |
|
---|
| 284 | </variablelist>
|
---|
| 285 |
|
---|
| 286 | </sect2>
|
---|
| 287 |
|
---|
| 288 | </sect1>
|
---|